1 : /*
2 : *
3 : *
4 : * Distributed under the OpenDDS License.
5 : * See: http://www.OpenDDS.org/license.html
6 : */
7 :
8 :
9 :
10 : #ifndef OPENDDS_DCPS_SECURITY_AUTHENTICATIONBUILTINIMPL_H
11 : #define OPENDDS_DCPS_SECURITY_AUTHENTICATIONBUILTINIMPL_H
12 :
13 : #include "OpenDDS_Security_Export.h"
14 : #include "Authentication/LocalAuthCredentialData.h"
15 : #include "SSL/DiffieHellman.h"
16 :
17 : #include <dds/DdsSecurityCoreC.h>
18 : #include <dds/Versioned_Namespace.h>
19 : #include <dds/DCPS/dcps_export.h>
20 : #include <dds/DCPS/GuidUtils.h>
21 :
22 : #include <ace/Thread_Mutex.h>
23 :
24 : #include <map>
25 : #include <string>
26 : #include <memory>
27 :
28 : #if !defined (ACE_LACKS_PRAGMA_ONCE)
29 : #pragma once
30 : #endif /* ACE_LACKS_PRAGMA_ONCE */
31 :
32 : class DDS_TEST;
33 :
34 : OPENDDS_BEGIN_VERSIONED_NAMESPACE_DECL
35 :
36 : namespace OpenDDS {
37 : namespace Security {
38 :
/// Class id of the tokens this plugin produces. Both the identity status token
/// and the authenticated peer credential token carry the same id string.
const char Identity_Status_Token_Class_Id[] = "DDS:Auth:PKI-DH:1.0";
const char Auth_Peer_Cred_Token_Class_Id[] = "DDS:Auth:PKI-DH:1.0";

/// Property names for the participant's own certificate.
/// NOTE(review): by name these are the subject name and signature algorithm;
/// where they are filled in is not visible in this header.
const char dds_cert_sn[] = "dds.cert.sn";
const char dds_cert_algo[] = "dds.cert.algo";

/// Property names for the certificate authority, same pattern as above.
const char dds_ca_sn[] = "dds.ca.sn";
const char dds_ca_algo[] = "dds.ca.algo";
47 :
48 : /**
49 : * @class AuthenticationBuiltInImpl
50 : *
51 : * @brief Implements the DDS built-in version of the Authentication
52 : * plugin for the DDS Security Specification
53 : *
54 : * See the DDS security specification, OMG formal/17-09-20, for a description of
55 : * the interface this class is implementing.
56 : *
57 : */
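class OpenDDS_Security_Export AuthenticationBuiltInImpl
  : public virtual DDS::Security::Authentication
{
public:

  /// include in PropertyQosPolicy to add optional properties to Handshake tokens
  /// NOTE(review): properties added this way presumably travel in the handshake
  /// message to the peer; leave it unset outside of debugging.
  static const char* PROPERTY_HANDSHAKE_DEBUG;

  AuthenticationBuiltInImpl();
  virtual ~AuthenticationBuiltInImpl();

  // ---- DDS::Security::Authentication interface ----------------------------
  // Every operation reports failure details through @p ex; the returned
  // ValidationResult_t / Boolean is the caller's success signal.

  /// Validates the local participant's credentials and hands out an
  /// IdentityHandle for it; @p adjusted_participant_guid receives the GUID the
  /// participant must use (see spec 9.3.2.5.1 for how it is derived).
  virtual ::DDS::Security::ValidationResult_t validate_local_identity(
    ::DDS::Security::IdentityHandle & local_identity_handle,
    DCPS::GUID_t & adjusted_participant_guid,
    ::DDS::Security::DomainId_t domain_id,
    const ::DDS::DomainParticipantQos & participant_qos,
    const DCPS::GUID_t & candidate_participant_guid,
    ::DDS::Security::SecurityException & ex);

  /// Fills @p identity_token for the local identity @p handle.
  virtual ::CORBA::Boolean get_identity_token(
    ::DDS::Security::IdentityToken & identity_token,
    ::DDS::Security::IdentityHandle handle,
    ::DDS::Security::SecurityException & ex);

  /// Fills @p identity_status_token (class id Identity_Status_Token_Class_Id).
  virtual ::CORBA::Boolean get_identity_status_token(
    ::DDS::Security::IdentityStatusToken & identity_status_token,
    ::DDS::Security::IdentityHandle handle,
    ::DDS::Security::SecurityException & ex);

  /// Associates the access-control credential and token with a local identity
  /// so they can be carried in the handshake.
  virtual ::CORBA::Boolean set_permissions_credential_and_token(
    ::DDS::Security::IdentityHandle handle,
    const ::DDS::Security::PermissionsCredentialToken & permissions_credential,
    const ::DDS::Security::PermissionsToken & permissions_token,
    ::DDS::Security::SecurityException & ex);

  /// Registers a discovered remote identity against a local one and returns
  /// the handle to use for the handshake.
  virtual ::DDS::Security::ValidationResult_t validate_remote_identity(
    ::DDS::Security::IdentityHandle & remote_identity_handle,
    ::DDS::Security::AuthRequestMessageToken & local_auth_request_token,
    const ::DDS::Security::AuthRequestMessageToken & remote_auth_request_token,
    ::DDS::Security::IdentityHandle local_identity_handle,
    const ::DDS::Security::IdentityToken & remote_identity_token,
    const DCPS::GUID_t & remote_participant_guid,
    ::DDS::Security::SecurityException & ex);

  /// Initiator side: builds the first handshake message.
  virtual ::DDS::Security::ValidationResult_t begin_handshake_request(
    ::DDS::Security::HandshakeHandle & handshake_handle,
    ::DDS::Security::HandshakeMessageToken & handshake_message,
    ::DDS::Security::IdentityHandle initiator_identity_handle,
    ::DDS::Security::IdentityHandle replier_identity_handle,
    const ::DDS::OctetSeq & serialized_local_participant_data,
    ::DDS::Security::SecurityException & ex);

  /// Replier side: consumes the request and builds the reply message.
  virtual ::DDS::Security::ValidationResult_t begin_handshake_reply(
    ::DDS::Security::HandshakeHandle & handshake_handle,
    ::DDS::Security::HandshakeMessageToken & handshake_message_out,
    ::DDS::Security::IdentityHandle initiator_identity_handle,
    ::DDS::Security::IdentityHandle replier_identity_handle,
    const ::DDS::OctetSeq & serialized_local_participant_data,
    ::DDS::Security::SecurityException & ex);

  /// Advances an in-progress handshake with the next message from the peer
  /// (dispatches to process_handshake_reply / process_final_handshake below).
  virtual ::DDS::Security::ValidationResult_t process_handshake(
    ::DDS::Security::HandshakeMessageToken & handshake_message_out,
    const ::DDS::Security::HandshakeMessageToken & handshake_message_in,
    ::DDS::Security::HandshakeHandle handshake_handle,
    ::DDS::Security::SecurityException & ex);

  /// Returns the shared secret derived by a completed handshake.
  /// NOTE(review): returns a raw pointer — whether the caller owns a reference
  /// (and must return it via return_sharedsecret_handle) is decided in the .cpp.
  virtual ::DDS::Security::SharedSecretHandle* get_shared_secret(
    ::DDS::Security::HandshakeHandle handshake_handle,
    ::DDS::Security::SecurityException & ex);

  /// Fills the peer's credential token (class id Auth_Peer_Cred_Token_Class_Id)
  /// for a completed handshake.
  virtual ::CORBA::Boolean get_authenticated_peer_credential_token(
    ::DDS::Security::AuthenticatedPeerCredentialToken & peer_credential_token,
    ::DDS::Security::HandshakeHandle handshake_handle,
    ::DDS::Security::SecurityException & ex);

  virtual ::CORBA::Boolean set_listener(
    ::DDS::Security::AuthenticationListener_ptr listener,
    ::DDS::Security::SecurityException & ex);

  // ---- resource release -----------------------------------------------
  // The return_* operations release the token or handle obtained from the
  // matching get_*/validate_*/begin_* call.

  virtual ::CORBA::Boolean return_identity_token(
    const ::DDS::Security::IdentityToken & token,
    ::DDS::Security::SecurityException & ex);

  virtual ::CORBA::Boolean return_identity_status_token(
    const ::DDS::Security::IdentityStatusToken & token,
    ::DDS::Security::SecurityException & ex);

  virtual ::CORBA::Boolean return_authenticated_peer_credential_token(
    const ::DDS::Security::AuthenticatedPeerCredentialToken & peer_credential_token,
    ::DDS::Security::SecurityException & ex);

  virtual ::CORBA::Boolean return_handshake_handle(
    ::DDS::Security::HandshakeHandle handshake_handle,
    ::DDS::Security::SecurityException & ex);

  virtual ::CORBA::Boolean return_identity_handle(
    ::DDS::Security::IdentityHandle identity_handle,
    ::DDS::Security::SecurityException & ex);

  virtual ::CORBA::Boolean return_sharedsecret_handle(
    ::DDS::Security::SharedSecretHandle* sharedsecret_handle,
    ::DDS::Security::SecurityException & ex);

private:

  /// Per-remote-participant state: identity bookkeeping plus everything the
  /// handshake accumulates for that peer. shared_secret, diffie_hellman and
  /// certificate hold key material; it is released when the last RcHandle goes
  /// away (no explicit destructor here — whether those handle types zeroize on
  /// release is not visible in this header).
  struct RemoteParticipantData : public DCPS::RcObject {
    typedef DCPS::RcHandle<RemoteParticipantData> shared_ptr;

    // Identity data

    DCPS::GUID_t participant_guid;                    // GUID_UNKNOWN until set
    DDS::Security::IdentityHandle local_participant;  // local identity this remote belongs to

    // Handshake data

    DDS::Security::AuthRequestMessageToken local_auth_request;
    DDS::Security::AuthRequestMessageToken remote_auth_request;
    DDS::Security::IdentityHandle initiator_identity;
    DDS::Security::IdentityHandle replier_identity;
    DDS::Security::SharedSecretHandle_var shared_secret;  // result of a completed handshake
    DDS::Security::HandshakeMessageToken request;         // message sent/received in begin_handshake_request
    DDS::Security::HandshakeMessageToken reply;           // message sent/received in begin_handshake_reply
    DDS::Security::ValidationResult_t state;              // progress of this handshake
    SSL::DiffieHellman::unique_ptr diffie_hellman;        // ephemeral DH key for this handshake
    SSL::Certificate::unique_ptr certificate;             // peer's certificate
    DDS::OctetSeq c_perm;   // NOTE(review): by name the peer's permissions blob (c.perm)
    DDS::OctetSeq hash_c1;  // NOTE(review): by name the hash of the request contents (hash_c1)
    DDS::OctetSeq hash_c2;  // NOTE(review): by name the hash of the reply contents (hash_c2)

    // state starts as VALIDATION_FAILED, so an entry that never finishes a
    // handshake can never read as validated.
    RemoteParticipantData()
      : participant_guid(DCPS::GUID_UNKNOWN)
      , local_participant(DDS::HANDLE_NIL)
      , initiator_identity(DDS::HANDLE_NIL)
      , replier_identity(DDS::HANDLE_NIL)
      , state(DDS::Security::VALIDATION_FAILED)
    {
    }
  };
  /// Remote identity handle -> remote state.
  typedef std::map<DDS::Security::IdentityHandle, RemoteParticipantData::shared_ptr> RemoteParticipantMap;

  /// Per-local-participant state: its credentials and every remote that has
  /// been validated against it.
  struct LocalParticipantData : public DCPS::RcObject {
    typedef DCPS::RcHandle<LocalParticipantData> shared_ptr;

    DCPS::GUID_t participant_guid;
    LocalAuthCredentialData::shared_ptr credentials;
    RemoteParticipantMap validated_remotes;
    bool handshake_debug;  // set from PROPERTY_HANDSHAKE_DEBUG; off by default

    LocalParticipantData()
      : participant_guid(DCPS::GUID_UNKNOWN)
      , credentials()
      , validated_remotes()
      , handshake_debug(false)
    {
    }
    ~LocalParticipantData();  // defined in the .cpp
  };
  /// Local identity handle -> local state.
  typedef std::map<DDS::Security::IdentityHandle, LocalParticipantData::shared_ptr> LocalParticipantMap;
  LocalParticipantMap local_participants_;

  /// Looks up @p handle in local_participants_; a null handle is expected
  /// when it is unknown (confirm in the .cpp).
  LocalParticipantData::shared_ptr get_local_participant(DDS::Security::IdentityHandle handle);

  /// The two sides of one handshake: (local, remote).
  typedef std::pair<LocalParticipantData::shared_ptr, RemoteParticipantData::shared_ptr> HandshakeDataPair;
  /// Handshake handle -> the pair it was created for.
  typedef std::map<DDS::Security::HandshakeHandle, HandshakeDataPair> HandshakeDataMap;
  HandshakeDataMap handshake_data_;

  /// Looks up @p handle in handshake_data_.
  HandshakeDataPair get_handshake_data(DDS::Security::HandshakeHandle handle);

  /// @brief Finds the local and remote data objects associated with h1 and h2 and
  /// creates a new handshake pair with them. It does not matter which handle is local
  /// and which is remote.
  /// @param h1 Either a local or remote handle.
  /// @param h2 Either a local or remote handle.
  HandshakeDataPair make_handshake_pair(DDS::Security::IdentityHandle h1,
                                        DDS::Security::IdentityHandle h2);

  /// Initiator side of process_handshake(): verifies the reply and produces
  /// the final message.
  DDS::Security::ValidationResult_t process_handshake_reply(
    DDS::Security::HandshakeMessageToken & handshake_message_out,
    const DDS::Security::HandshakeMessageToken & handshake_message_in,
    DDS::Security::HandshakeHandle handshake_handle,
    DDS::Security::SecurityException & ex);

  /// Replier side of process_handshake(): verifies the final message; it has
  /// no message to send back, hence no output token parameter.
  DDS::Security::ValidationResult_t process_final_handshake(
    const DDS::Security::HandshakeMessageToken & handshake_message_in,
    DDS::Security::HandshakeHandle handshake_handle,
    DDS::Security::SecurityException & ex);

  /// Decides from the two GUIDs which side sends the handshake request
  /// (the ordering rule itself is in the .cpp).
  bool is_handshake_initiator(const DCPS::GUID_t& local, const DCPS::GUID_t& remote);

  /// True when the peer's token class id is one this plugin can interoperate
  /// with. NOTE(review): the accepted set is defined in the .cpp.
  bool check_class_versions(const char* remote_class_id);

  /// Builds a handshake-message class id from an extension such as the
  /// request/reply/final suffix.
  std::string build_class_id(const std::string& message_ext);

  /// Inverse of build_class_id(): the extension part of @p class_id.
  std::string get_extension(const char* class_id);

  /// Allocates the next identity/handshake handle from next_handle_.
  /// Handles are local bookkeeping ids, not secrets.
  CORBA::Long get_next_handle();

  /// Predicate for searching a RemoteParticipantMap for the entry whose
  /// participant_guid equals the expected GUID.
  /// The GUID is stored by value: a reference member would dangle if the
  /// predicate were built from a temporary or copied out of the scope of its
  /// argument (GUID_t is a small trivially copyable struct).
  struct was_guid_validated
  {
    was_guid_validated(const DCPS::GUID_t& expected) : expected_(expected) {}

    bool operator()(const RemoteParticipantMap::value_type& validated) const
    {
      return (expected_ == validated.second->participant_guid);
    }
  private:
    DCPS::GUID_t expected_;
  };

  /// Predicate for searching a LocalParticipantMap for the local participant
  /// that has validated the remote handle h.
  struct local_has_remote_handle
  {
    local_has_remote_handle(DDS::Security::IdentityHandle h) : h_(h) {}

    bool operator()(const LocalParticipantMap::value_type& local) const
    {
      const RemoteParticipantMap& remotes = local.second->validated_remotes;
      return remotes.find(h_) != remotes.end();
    }
  private:
    DDS::Security::IdentityHandle h_;
  };

  /// Set by set_listener(). Raw CORBA _ptr: whether it is duplicated/released
  /// here is decided in the .cpp.
  DDS::Security::AuthenticationListener_ptr listener_ptr_;

  // NOTE(review): by name these presumably guard local_participants_,
  // handshake_data_ and next_handle_ respectively; the lock discipline (and
  // any ordering between them) lives in the .cpp.
  ACE_Thread_Mutex identity_mutex_;
  ACE_Thread_Mutex handshake_mutex_;
  ACE_Thread_Mutex handle_mutex_;

  CORBA::Long next_handle_;

};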
289 : } // namespace Security
290 : } // namespace OpenDDS
291 :
292 : OPENDDS_END_VERSIONED_NAMESPACE_DECL
293 :
294 : #endif